Risk Appetite vs Risk Tolerance vs Risk Thresholds
Aligning Risk Appetite, Risk Tolerance & Risk Thresholds With Strategic, Operational & Tactical Business Planning Activities
The alternative to risk management is crisis management. The information on this page exists to provide practical guidance on Enterprise Risk Management (ERM) for cybersecurity and data privacy practitioners, specifically focused on how to align risk appetite, risk tolerance and risk thresholds with an organization's strategic, operational and tactical business planning activities. What is presented is a holistic approach that has practical applications.
The concepts of risk appetite, risk tolerance and risk thresholds are not independent terms that are meant to stand by themselves, since they share a dependency that needs to be understood to create a coherent risk management strategy. Likewise, those terms are also directly linked to strategic, operational and tactical decision making.
Organizations invest in cybersecurity and data privacy as a necessity. This necessity is driven in large part by statutory, regulatory and contractual requirements. It is also driven by the desire to protect the organization's brand from acts that would harm its public image. Regardless of the reason, the base expectation is that those charged with developing, implementing and governing the cybersecurity and data privacy functions are doing so in a reasonable manner that would withstand scrutiny, whether that scrutiny comes from an external auditor, a regulator or a prosecuting attorney.
White Paper - Enterprise Risk Management (ERM) - Practitioner's Guide To Align Risk Appetite, Risk Tolerance & Risk Thresholds With Strategic, Operational & Tactical Business Planning Activities
The intent of this white paper is to demonstrate how integrating business planning with risk management practices is in your organization's best interest, since it can decrease liability and increase the effectiveness of the cybersecurity and data privacy practitioners who are working to implement the organization's strategy. Click the image below to download the PDF.
Summarizing The Integration of Risk Management & Business Planning
These key concepts of how risk appetite, risk tolerance and risk thresholds interact with strategic, operational and tactical actions and decisions can be visualized in the following graphic:
- At the strategic layer, where corporate-level actions and decisions are made, the organization's risk appetite is defined. The scope of the risk appetite can be organization-wide or compartmentalized to provide enhanced granularity.
- At the operational level, where Line of Business (LOB)-level actions and decisions are made, the organization's risk tolerance is put into practice. The organization's risk tolerance is defined by its established risk appetite.
- At the tactical level, where department / team-level actions and decisions are made, the organization's risk thresholds are used to provide criteria to assess operational risk. That operational risk must adhere to the organization's risk tolerance and therefore, its risk appetite.
From a hierarchical perspective:
- An organization's risk appetite exists at the corporate level to influence actions and decisions, specifically the organization's strategy. The strategy provides prioritization and resourcing constraints to the organization's various LOBs.
- The risk appetite helps define the organization's risk tolerance to influence actions and decisions at the LOB level. Risk tolerance influences objectives, maturity targets and resource prioritization.
- Risk thresholds affect actions and decisions at the department and team levels. Risk thresholds influence processes, technologies, staffing levels and the supply chain (e.g., vendors, suppliers, consultants, contractors, etc.). Defined risk thresholds provide criteria to assess operational risks that exist in the course of conducting business.
What is important to keep at the forefront of risk management considerations is the material nature of risk, as it pertains to the organization. Risks that have a material impact include, but are not limited to:
- Confidentiality, Integrity & Availability (CIA) of the organization's sensitive/regulated data;
- Supply chain security;
- Macroeconomic forces;
- Socio-political changes;
- Statutory / regulatory changes;
- Competitive landscape;
- Diplomatic sanctions (e.g., taxes, customs, embargoes, etc.); and
- Natural / manmade disasters (e.g., pandemics, war, etc.).